Standard DNS - RFC2136 and certbot

I'm using certbot on Debian Linux to generate a Let's Encrypt (LE) wildcard cert for my Standard DNS domain. For wildcard certs, only DNS authorization is supported, meaning I have to create a temporary TXT record with a specific value that LE will look for to verify I own the domain. The simpler webroot or webserver plugins, where you place a file in your web document root for the LE servers to find, won't work for wildcard certs.

I have done this successfully through a manual operation where certbot pauses to let me run nsupdate and use my TSIG credentials to create the TXT record, and then wait for the TXT record to propagate before continuing. However the problem comes when it's time to auto-renew the cert (LE certs expire after 90 days). While certbot configures a cron job to auto-renew within 30 days of expiration, it cannot auto-renew with a manual DNS authorization. You must basically re-run the manual operation and request a new cert each time. While this could probably be automated with pre- and post-validation hooks that run shell scripts to do the nsupdate parts, that just seems a bit clunky and brittle to me, especially given certbot's support for DNS plugins.

certbot supports various DNS plugins from several DNS providers that can be used to automate the TXT creation/deletion process and support auto-renewal. Unfortunately DynDNS is not a supported provider. However certbot does offer a "generic" RFC2136 plugin that uses TSIG credentials to automate this process with a compliant DNS server. Since I was able to manually add the TXT record using nsupdate and my TSIG key, I assumed this plugin would work too. Unfortunately on my first attempt I was unable to get it to work with DynDNS.

I'm rebuilding the machine that will handle this cert operation and will be trying the plugin again, but I'm looking for anyone who might have gone down this road before me and can confirm whether or not the RFC2136 plugin works with Dyn Standard DNS?

No real explanation for why it couldn't determine the base domain. After playing around with it and hacking the python code a bit to try and better understand what was going on, I gave up and just wrote manual hook scripts to automate the manual mode and remove all interactivity. I was able to successfully generate a working wildcard cert containing both *.example.org and *.home.example.org (obviously not my real domain), so I'm happy for now.

Supposedly with hook scripts the renewal can be automated. Now to wait until renewal time to see if it works. Unfortunately the --dry-run or --staging options normally used to test out renewal don't work with the ACME v2 API server, which is required for wildcard certs, so I won't really know until the renewal happens in the next 60 days or so. But worst case I know I can re-run the same command-line with the hook scripts to generate new certs, and then just cron that command if I have to.

It's not as clean as I'd have liked with the rfc2136 plugin, but if it continues to work, I can live with it.